France: Council of State rejected appeals against sanctions on pseudonymised health data and reidentification risk (National Commission on Informatics and Liberty v GERS, Santestat, and Cegedim Santé)

On 13 February 2026, the Council of State rejected three appeals brought by GERS, including as successor to Santestat, and by Cegedim Santé against administrative fines imposed by the National Commission on Informatics and Liberties (CNIL) for unlawful processing of health data. The Court held that pseudonymised data contained in the two health databases, “Thin” and “Gers Études clients”, remained personal data under the General Data Protection Regulation (GDPR) because reidentification was possible by reasonable means. The datasets included detailed elements such as age, medical treatments, timestamps, and professional identifiers, making individual identification feasible without disproportionate effort. The Court found no serious difficulty in interpreting the “reasonable means” test under the GDPR and therefore refused to refer a preliminary question to the Court of Justice of the European Union. As the processing was carried out without obtaining data subjects’ consent and without complying with the authorisation regime applicable to health data under Article 66 of the French Data Protection Act, the CNIL had lawfully found infringements. The Court further confirmed that Cegedim Santé’s software unlawfully imported reimbursement data from a national health insurance tele-service, resulting in a breach of the lawfulness principle under Article 5(1)(a) GDPR. The Council of State upheld the proportionality of the individual fines of EUR 800’000, EUR 200’000, and EUR 800’000, as well as the publication of the sanction against Cegedim Santé.